Monitor the performance of the governance, risk, and compliance capability.

CONTROL ID
12857
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • overall internal governance – whether the institution's overall internal governance arrangements are adequate in relation to the institution's ICT systems; and (Title 2 2.1 22.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Compliance with information security requirements (e.g. technical specifications) is verified at regular intervals. (1.5.1 Requirements (must) Bullet 4, Information Security Assessment, Version 5.1)
  • Interbank payments can be abused by criminals. International policymakers have taken steps intended to increase the transparency of interbank payments, allowing law enforcement agencies to more easily trace payments related to, for example, drug trafficking or terrorism. The Funds Transfer Regulatio… (3.2.13 ¶ 2, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • Prioritise and plan the control activities at all levels to implement the risk responses identified as necessary, including identification of costs, benefits and responsibility for execution. Obtain approval for recommended actions and acceptance of any residual risks, and ensure that committed acti… (PO9.6 Maintenance and Monitoring of a Risk Action Plan, CobiT, Version 4.1)
  • Monitor and periodically evaluate the performance of the capability to ensure it is designed and operated to be effective, efficient, and responsive to change. (OCEG GRC Capability Model, v. 3.0, R1 Monitoring, OCEG GRC Capability Model, v 3.0)
  • how the results will be evaluated, including indicators for monitoring progress toward achievement of its measurable environmental objectives (see 9.1.1). (§ 6.2.2 ¶ 1 e), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • establishing compliance performance indicators and monitoring and measuring compliance performance; (§ 5.3.4 ¶ 2 g), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • be monitored; (§ 6.2 ¶ 2 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The compliance management system should be monitored to ensure compliance performance is achieved. A plan for continual monitoring should be established, setting out monitoring processes, schedules, resources and the information to be collected. (§ 9.1.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • In order to evaluate the effectiveness of the risk management framework, the organization should: - periodically measure risk management framework performance against its purpose, implementation plans, indicators and expected behaviour; - determine whether it remains suitable to support achieving t… (§ 5.6 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • assure itself of the accuracy of reports and evidence it receives, and the effectiveness of the internal control system. (§ 6.4.3.1 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; (§ 6.4.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; (§ 6.4.3.2 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • direct reports by, and private sessions with, internal audit as an independent provider of assurance, including insight and advice, on the effectiveness and performance of governance processes and the internal control system, in particular risk management and compliance management; (§ 6.4.3.3 ¶ 2 Bullet 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • measure performance against objectives related to socially responsible behaviour; (§ 6.10.3 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • monitoring and responding to the behaviour, decisions and activities of the organization, e.g. values-driven behaviours pertaining to sustainability; (§ 6.3.3.2.2 ¶ 2 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall monitor the compliance management system to ensure compliance objectives are achieved. (§ 9.1.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • be monitored; (§ 6.2 ¶ 2 d), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • monitoring and measuring compliance performance; (§ 5.3.2 ¶ 1 bullet 4, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the effectiveness of actions taken to address risks and opportunities (see 6.1); (9.3.2 ¶ 1(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • monitoring and measuring compliance performance; (§ 5.3.2 ¶ 4 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • be monitored; (§ 6.2 ¶ 2 d), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall monitor the compliance management system to ensure compliance objectives are achieved. (§ 9.1.1 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the IT asset management performance, including financial and non-financial performance; and (Section 9.1 ¶ 3 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the performance of the mixed-responsibility activities is monitored in accordance with 9.1. (Section 8.8 ¶ 4 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Regardless of the use of any technology, the governing body should set and oversee the achievement of outcomes that are aligned to its principles. Such principles can arise internally or be suggested or imposed by external organizations. (§ 6.1 ¶ 8, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The organization reviews entity performance and considers risk. (Principle 16: Reviews Risk and Performance, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization sets targets to monitor the performance of the entity and support the achievement of the business objectives. For instance: (Setting Performance Measures and Targets ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization reports on risk, culture, and performance at multiple levels and across the entity. (Principle 20: Reports on Risk, Culture, and Performance, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.52, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.60, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for its assertion about the description, suitability of design of controls and, in a type 2 engagement, operating effectiveness of controls stated therein. Furthermore, because management's assertion generally addresses the… (¶ 2.58, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A service organization's monitoring activities, and the reports generated from those activities, enable service organization management to periodically or continuously monitor the effectiveness of controls. (¶ 2.119, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Implementation of processes to monitor and report on control effectiveness. (VI.D Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Reviewing AIO operating results and performance (e.g., audit reporting, testing results, and management and assessment reports). (App A Objective 2:3e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and… (App A Objective 17:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the board, or a board committee, is responsible for overseeing performance and compensation for the audit department. (App A Objective 6:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6 Control:, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Provide leadership in the planning, design and evaluation of privacy and security related projects (T0897, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide leadership in the planning, design and evaluation of privacy and security related projects (T0897, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)